Multiple vulnerabilities in Microsoft Protected Extensible Authentication Protocol
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2023-21701 CVE-2023-21691 CVE-2023-21692 CVE-2023-21690 CVE-2023-21689 CVE-2023-21695 |
| CWE-ID | CWE-20 CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU72199
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-21701
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Protected Extensible Authentication Protocol (PEAP). A remote attacker can send specially crafted PEAP packets to the system and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 - 11 22H2 10.0.22621.521
Windows Server: 2008 - 2022 20H2
External linkshttp://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21701
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds read
EUVDB-ID: #VU72198
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-21691
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in Microsoft Protected Extensible Authentication Protocol (PEAP). A remote attacker can send specially crafted PEAP packets to the affected system and read parts of heap memory from a privileged process running on the server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 - 11 22H2 10.0.22621.521
Windows Server: 2008 - 2022 20H2
External linkshttp://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21691
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU72197
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-21692
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Protected Extensible Authentication Protocol (PEAP). A remote attacker can send specially crafted PEAP packets to the system and execute arbitrary code.
Successful exploitation of the vulnerability requires that NPS is running on the Windows Server and has a network policy configured that allows PEAP.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 - 11 22H2 10.0.22621.521
Windows Server: 2008 R2 - 2022 20H2
External linkshttp://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21692
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU72196
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-21690
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Protected Extensible Authentication Protocol (PEAP). A remote attacker can send specially crafted PEAP packets to the system and execute arbitrary code.
Successful exploitation of the vulnerability requires that NPS is running on the Windows Server and has a network policy configured that allows PEAP.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 - 11 22H2 10.0.22621.521
Windows Server: 2008 R2 - 2022 20H2
External linkshttp://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21690
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU72195
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-21689
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Protected Extensible Authentication Protocol (PEAP). A remote attacker can send specially crafted PEAP packets to the system and execute arbitrary code.
Successful exploitation of the vulnerability requires that NPS is running on the Windows Server and has a network policy configured that allows PEAP.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWindows: 10 - 11 22H2 10.0.22621.521
Windows Server: 2008 R2 - 2022 20H2
External linkshttp://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21689
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU72194
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-21695
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within Microsoft Protected Extensible Authentication Protocol (PEAP). A remote user can send specially crafted PEAP packets to the system and execute arbitrary code.
Install updates from vendor's website.
Vulnerable software versionsWindows: 10 - 11 22H2 10.0.22621.521
Windows Server: 2008 - 2022 20H2
External linkshttp://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21695
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
